ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 02:58:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

more code format

Browse Source
This commit is contained in:
van Hauser
2020-03-09 08:30:28 +01:00
parent 0581f6ec00
commit 36ce9c1fb9
13 changed files with 143 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
examples/custom_mutators/example.c
View File

@ -38,18 +38,17 @@ void afl_custom_init(unsigned int seed) {
* produce data larger than max_size. * produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, uint8_t *add_buf,
uint8_t *add_buf,size_t add_buf_size, // add_buf can be NULL size_t add_buf_size, // add_buf can be NULL
size_t max_size) { size_t max_size) {
// Make sure that the packet size does not exceed the maximum size expected by // Make sure that the packet size does not exceed the maximum size expected by
// the fuzzer // the fuzzer
size_t mutated_size = data_size <= max_size ? data_size : max_size; size_t mutated_size = data_size <= max_size ? data_size : max_size;
if (mutated_size > buf_size) if (mutated_size > buf_size) *buf = realloc(*buf, mutated_size);
*buf = realloc(*buf, mutated_size);
uint8_t *mutated_out = *buf;
uint8_t* mutated_out = *buf;
// Randomly select a command string to add as a header to the packet // Randomly select a command string to add as a header to the packet
memcpy(mutated_out, commands[rand() % 3], 3); memcpy(mutated_out, commands[rand() % 3], 3);
@ -94,9 +93,9 @@ size_t afl_custom_pre_save(uint8_t *buf, size_t buf_size, uint8_t **out_buf) {
} }
static uint8_t *trim_buf; static uint8_t *trim_buf;
static size_t trim_buf_size; static size_t trim_buf_size;
static int trimmming_steps; static int trimmming_steps;
static int cur_step; static int cur_step;
/** /**
* This method is called at the start of each trimming operation and receives * This method is called at the start of each trimming operation and receives
@ -147,7 +146,7 @@ int afl_custom_init_trim(uint8_t *buf, size_t buf_size) {
* the memory after saving the test case. * the memory after saving the test case.
* @param[out] out_buf_size Pointer to the size of the trimmed test case * @param[out] out_buf_size Pointer to the size of the trimmed test case
*/ */
void afl_custom_trim(uint8_t **out_buf, size_t* out_buf_size) { void afl_custom_trim(uint8_t **out_buf, size_t *out_buf_size) {
*out_buf_size = trim_buf_size - 1; *out_buf_size = trim_buf_size - 1;
@ -172,8 +171,10 @@ void afl_custom_trim(uint8_t **out_buf, size_t* out_buf_size) {
int afl_custom_post_trim(int success) { int afl_custom_post_trim(int success) {
if (success) { if (success) {
++cur_step; ++cur_step;
return cur_step; return cur_step;
} }
return trimmming_steps; return trimmming_steps;
@ -193,7 +194,8 @@ int afl_custom_post_trim(int success) {
* not produce data larger than max_size. * not produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size) { size_t afl_custom_havoc_mutation(uint8_t **buf, size_t buf_size,
size_t max_size) {
if (buf_size == 0) { if (buf_size == 0) {
@ -205,7 +207,7 @@ size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size
size_t victim = rand() % buf_size; size_t victim = rand() % buf_size;
(*buf)[victim] += rand() % 10; (*buf)[victim] += rand() % 10;
return buf_size; return buf_size;
} }
@ -220,7 +222,7 @@ size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size
*/ */
uint8_t afl_custom_havoc_mutation_probability(void) { uint8_t afl_custom_havoc_mutation_probability(void) {
return 5; // 5 % return 5; // 5 %
} }
@ -233,14 +235,14 @@ uint8_t afl_custom_havoc_mutation_probability(void) {
* @return Return True(1) if the fuzzer will fuzz the queue entry, and * @return Return True(1) if the fuzzer will fuzz the queue entry, and
* False(0) otherwise. * False(0) otherwise.
*/ */
uint8_t afl_custom_queue_get(const uint8_t* filename) { uint8_t afl_custom_queue_get(const uint8_t *filename) {
return 1; return 1;
} }
/** /**
* Allow for additional analysis (e.g. calling a different tool that does a * Allow for additional analysis (e.g. calling a different tool that does a
* different kind of coverage and saves this for the custom mutator). * different kind of coverage and saves this for the custom mutator).
* *
* (Optional) * (Optional)
@ -248,8 +250,8 @@ uint8_t afl_custom_queue_get(const uint8_t* filename) {
* @param filename_new_queue File name of the new queue entry * @param filename_new_queue File name of the new queue entry
* @param filename_orig_queue File name of the original queue entry * @param filename_orig_queue File name of the original queue entry
*/ */
void afl_custom_queue_new_entry(const uint8_t* filename_new_queue, void afl_custom_queue_new_entry(const uint8_t *filename_new_queue,
const uint8_t* filename_orig_queue) { const uint8_t *filename_orig_queue) {
/* Additional analysis on the original or new test case */ /* Additional analysis on the original or new test case */

21
include/afl-fuzz.h
View File

@ -461,8 +461,9 @@ extern s32 cmplog_child_pid, cmplog_forksrv_pid;
/* Custom mutators */ /* Custom mutators */
struct custom_mutator { struct custom_mutator {
const char* name; const char* name;
void* dh; void* dh;
/* hooks for the custom mutator function */ /* hooks for the custom mutator function */
@ -485,8 +486,8 @@ struct custom_mutator {
* @param[in] buf_size Size of the input/output data * @param[in] buf_size Size of the input/output data
* @param[in] add_buf Buffer containing the additional test case * @param[in] add_buf Buffer containing the additional test case
* @param[in] add_buf_size Size of the additional test case * @param[in] add_buf_size Size of the additional test case
* @param[in] max_size Maximum size of the mutated output. The mutation must not * @param[in] max_size Maximum size of the mutated output. The mutation must
* produce data larger than max_size. * not produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t (*afl_custom_fuzz)(u8** buf, size_t buf_size, u8* add_buf, size_t (*afl_custom_fuzz)(u8** buf, size_t buf_size, u8* add_buf,
@ -560,7 +561,7 @@ struct custom_mutator {
* steps returned in init_trim) * steps returned in init_trim)
*/ */
u32 (*afl_custom_post_trim)(u8 success); u32 (*afl_custom_post_trim)(u8 success);
/** /**
* Perform a single custom mutation on a given input. * Perform a single custom mutation on a given input.
* This mutation is stacked with the other muatations in havoc. * This mutation is stacked with the other muatations in havoc.
@ -574,8 +575,9 @@ struct custom_mutator {
* not produce data larger than max_size. * not produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size, size_t max_size); size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size,
size_t max_size);
/** /**
* Return the probability (in percentage) that afl_custom_havoc_mutation * Return the probability (in percentage) that afl_custom_havoc_mutation
* is called in havoc. By default it is 6 %. * is called in havoc. By default it is 6 %.
@ -598,7 +600,7 @@ struct custom_mutator {
u8 (*afl_custom_queue_get)(const u8* filename); u8 (*afl_custom_queue_get)(const u8* filename);
/** /**
* Allow for additional analysis (e.g. calling a different tool that does a * Allow for additional analysis (e.g. calling a different tool that does a
* different kind of coverage and saves this for the custom mutator). * different kind of coverage and saves this for the custom mutator).
* *
* (Optional) * (Optional)
@ -609,6 +611,7 @@ struct custom_mutator {
*/ */
void (*afl_custom_queue_new_entry)(const u8* filename_new_queue, void (*afl_custom_queue_new_entry)(const u8* filename_new_queue,
const u8* filename_orig_queue); const u8* filename_orig_queue);
}; };
extern struct custom_mutator* mutator; extern struct custom_mutator* mutator;
@ -680,8 +683,8 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf);
/* Python */ /* Python */
#ifdef USE_PYTHON #ifdef USE_PYTHON
int init_py_module(u8*); int init_py_module(u8*);
void finalize_py_module(); void finalize_py_module();
void init_py(unsigned int); void init_py(unsigned int);
size_t fuzz_py(u8**, size_t, u8*, size_t, size_t); size_t fuzz_py(u8**, size_t, u8*, size_t, size_t);

35
include/envs.h
View File

@ -1,11 +1,10 @@
const char *afl_environment_variables[] = { const char *afl_environment_variables[] = {
"AFL_ALIGNED_ALLOC", "AFL_ALLOW_TMP", "AFL_ANALYZE_HEX", "AFL_AS", "AFL_ALIGNED_ALLOC", "AFL_ALLOW_TMP", "AFL_ANALYZE_HEX", "AFL_AS",
"AFL_AUTORESUME", "AFL_AUTORESUME", "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE",
"AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE", "AFL_BENCH_UNTIL_CRASH", "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CMIN_ALLOW_ANY",
"AFL_CAL_FAST", "AFL_CC", "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", "AFL_CMIN_CRASHES_ONLY", "AFL_CODE_END", "AFL_CODE_START",
"AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME", "AFL_COMPCOV_BINNAME", "AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY",
"AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY",
"AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", "AFL_DEBUG", "AFL_DEBUG_CHILD_OUTPUT", "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", "AFL_DEBUG", "AFL_DEBUG_CHILD_OUTPUT",
//"AFL_DEFER_FORKSRV", // not implemented anymore, so warn additionally //"AFL_DEFER_FORKSRV", // not implemented anymore, so warn additionally
"AFL_DISABLE_TRIM", "AFL_DONT_OPTIMIZE", "AFL_DUMB_FORKSRV", "AFL_DISABLE_TRIM", "AFL_DONT_OPTIMIZE", "AFL_DUMB_FORKSRV",
@ -19,21 +18,19 @@ const char *afl_environment_variables[] = {
"AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS",
"AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES",
"AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY",
"AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH",
"AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI",
"AFL_NO_UI",
"AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_PATH", "AFL_PERFORMANCE_FILE", "AFL_PATH", "AFL_PERFORMANCE_FILE",
//"AFL_PERSISTENT", // not implemented anymore, so warn additionally //"AFL_PERSISTENT", // not implemented anymore, so warn additionally
"AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV",
"AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE",
"AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT",
"AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK",
"AFL_QEMU_PERSISTENT_HOOK", "AFL_QEMU_PERSISTENT_RET", "AFL_QEMU_PERSISTENT_RET", "AFL_QEMU_PERSISTENT_RETADDR_OFFSET",
"AFL_QEMU_PERSISTENT_RETADDR_OFFSET", "AFL_QUIET", "AFL_QUIET", "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH",
"AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH", "AFL_SHUFFLE_QUEUE", "AFL_SHUFFLE_QUEUE", "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ",
"AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ", "AFL_SKIP_CRASHES", "AFL_SKIP_CRASHES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE",
"AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC",
"AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", "AFL_USE_UBSAN", "AFL_WINE_PATH", NULL};
"AFL_WINE_PATH", NULL};

11
qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
View File

@ -34,7 +34,7 @@
#include "afl-qemu-common.h" #include "afl-qemu-common.h"
#include "tcg.h" #include "tcg.h"
void HELPER(afl_entry_routine)(CPUArchState *env) { void HELPER(afl_entry_routine)(CPUArchState* env) {
afl_forkserver(ENV_GET_CPU(env)); afl_forkserver(ENV_GET_CPU(env));
@ -171,7 +171,7 @@ static int area_is_mapped(void* ptr, size_t len) {
} }
void HELPER(afl_cmplog_rtn)(CPUX86State *env) { void HELPER(afl_cmplog_rtn)(CPUX86State* env) {
#if defined(TARGET_X86_64) #if defined(TARGET_X86_64)
@ -181,9 +181,9 @@ void HELPER(afl_cmplog_rtn)(CPUX86State *env) {
#elif defined(TARGET_I386) #elif defined(TARGET_I386)
target_ulong* stack = g2h(env->regs[R_ESP]); target_ulong* stack = g2h(env->regs[R_ESP]);
if (!area_is_mapped(stack, sizeof(target_ulong)*2)) return; if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return;
// when this hook is executed, the retaddr is not on stack yet // when this hook is executed, the retaddr is not on stack yet
void* ptr1 = g2h(stack[0]); void* ptr1 = g2h(stack[0]);
void* ptr2 = g2h(stack[1]); void* ptr2 = g2h(stack[1]);
@ -217,3 +217,4 @@ void HELPER(afl_cmplog_rtn)(CPUX86State *env) {
ptr2, 32); ptr2, 32);
} }

2
src/afl-fuzz-globals.c
View File

@ -256,7 +256,7 @@ u8 *cmplog_binary;
s32 cmplog_child_pid, cmplog_forksrv_pid; s32 cmplog_child_pid, cmplog_forksrv_pid;
/* Custom mutator */ /* Custom mutator */
struct custom_mutator* mutator; struct custom_mutator *mutator;
/* Interesting values, as per config.h */ /* Interesting values, as per config.h */

7
src/afl-fuzz-init.c
View File

@ -990,7 +990,7 @@ dir_cleanup_failed:
} }
/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer /* Delete fuzzer output directory if we recognize it as ours, if the fuzzer
is not currently running, and if the last run time isn't too great. is not currently running, and if the last run time isn't too great.
Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */ Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */
static void handle_existing_out_dir(void) { static void handle_existing_out_dir(void) {
@ -1036,10 +1036,11 @@ static void handle_existing_out_dir(void) {
fclose(f); fclose(f);
/* Autoresume treats a normal run as in_place_resume if a valid out dir already exists */ /* Autoresume treats a normal run as in_place_resume if a valid out dir
* already exists */
if (!in_place_resume && autoresume) { if (!in_place_resume && autoresume) {
OKF("Detected prior run with AFL_AUTORESUME set. Resuming."); OKF("Detected prior run with AFL_AUTORESUME set. Resuming.");
in_place_resume = 1; in_place_resume = 1;

39
src/afl-fuzz-mutators.c
View File

@ -36,6 +36,7 @@ void setup_custom_mutator(void) {
u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY");
if (fn) { if (fn) {
if (limit_time_sig) if (limit_time_sig)
FATAL( FATAL(
"MOpt and custom mutator are mutually exclusive. We accept pull " "MOpt and custom mutator are mutually exclusive. We accept pull "
@ -45,6 +46,7 @@ void setup_custom_mutator(void) {
load_custom_mutator(fn); load_custom_mutator(fn);
return; return;
} }
/* Try Python module */ /* Try Python module */
@ -65,6 +67,7 @@ void setup_custom_mutator(void) {
load_custom_mutator_py(module_name); load_custom_mutator_py(module_name);
} }
#else #else
if (getenv("AFL_PYTHON_MODULE")) if (getenv("AFL_PYTHON_MODULE"))
FATAL("Your AFL binary was built without Python support"); FATAL("Your AFL binary was built without Python support");
@ -75,16 +78,20 @@ void setup_custom_mutator(void) {
void destroy_custom_mutator(void) { void destroy_custom_mutator(void) {
if (mutator) { if (mutator) {
if (mutator->dh) if (mutator->dh)
dlclose(mutator->dh); dlclose(mutator->dh);
else { else {
/* Python mutator */ /* Python mutator */
#ifdef USE_PYTHON #ifdef USE_PYTHON
finalize_py_module(); finalize_py_module();
#endif #endif
} }
ck_free(mutator); ck_free(mutator);
} }
} }
@ -104,8 +111,7 @@ void load_custom_mutator(const char* fn) {
/* Mutator */ /* Mutator */
/* "afl_custom_init", optional for backward compatibility */ /* "afl_custom_init", optional for backward compatibility */
mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); mutator->afl_custom_init = dlsym(dh, "afl_custom_init");
if (!mutator->afl_custom_init) if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found.");
WARNF("Symbol 'afl_custom_init' not found.");
/* "afl_custom_fuzz" or "afl_custom_mutator", required */ /* "afl_custom_fuzz" or "afl_custom_mutator", required */
mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz");
@ -133,8 +139,7 @@ void load_custom_mutator(const char* fn) {
/* "afl_custom_trim", optional */ /* "afl_custom_trim", optional */
mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim");
if (!mutator->afl_custom_trim) if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found.");
WARNF("Symbol 'afl_custom_trim' not found.");
/* "afl_custom_post_trim", optional */ /* "afl_custom_post_trim", optional */
mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim");
@ -151,14 +156,15 @@ void load_custom_mutator(const char* fn) {
"trimming will be used."); "trimming will be used.");
} }
/* "afl_custom_havoc_mutation", optional */ /* "afl_custom_havoc_mutation", optional */
mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation");
if (!mutator->afl_custom_havoc_mutation) if (!mutator->afl_custom_havoc_mutation)
WARNF("Symbol 'afl_custom_havoc_mutation' not found."); WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
/* "afl_custom_havoc_mutation", optional */ /* "afl_custom_havoc_mutation", optional */
mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); mutator->afl_custom_havoc_mutation_probability =
dlsym(dh, "afl_custom_havoc_mutation_probability");
if (!mutator->afl_custom_havoc_mutation_probability) if (!mutator->afl_custom_havoc_mutation_probability)
WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
@ -175,8 +181,7 @@ void load_custom_mutator(const char* fn) {
OKF("Custom mutator '%s' installed successfully.", fn); OKF("Custom mutator '%s' installed successfully.", fn);
/* Initialize the custom mutator */ /* Initialize the custom mutator */
if (mutator->afl_custom_init) if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF));
mutator->afl_custom_init(UR(0xFFFFFFFF));
} }
@ -309,8 +314,7 @@ void load_custom_mutator_py(const char* module_name) {
mutator->name = module_name; mutator->name = module_name;
ACTF("Loading Python mutator library from '%s'...", module_name); ACTF("Loading Python mutator library from '%s'...", module_name);
if (py_functions[PY_FUNC_INIT]) if (py_functions[PY_FUNC_INIT]) mutator->afl_custom_init = init_py;
mutator->afl_custom_init = init_py;
/* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator
is quite different from the custom mutator. */ is quite different from the custom mutator. */
@ -325,14 +329,14 @@ void load_custom_mutator_py(const char* module_name) {
if (py_functions[PY_FUNC_POST_TRIM]) if (py_functions[PY_FUNC_POST_TRIM])
mutator->afl_custom_post_trim = post_trim_py; mutator->afl_custom_post_trim = post_trim_py;
if (py_functions[PY_FUNC_TRIM]) if (py_functions[PY_FUNC_TRIM]) mutator->afl_custom_trim = trim_py;
mutator->afl_custom_trim = trim_py;
if (py_functions[PY_FUNC_HAVOC_MUTATION]) if (py_functions[PY_FUNC_HAVOC_MUTATION])
mutator->afl_custom_havoc_mutation = havoc_mutation_py; mutator->afl_custom_havoc_mutation = havoc_mutation_py;
if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY]) if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY])
mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py; mutator->afl_custom_havoc_mutation_probability =
havoc_mutation_probability_py;
if (py_functions[PY_FUNC_QUEUE_GET]) if (py_functions[PY_FUNC_QUEUE_GET])
mutator->afl_custom_queue_get = queue_get_py; mutator->afl_custom_queue_get = queue_get_py;
@ -343,8 +347,9 @@ void load_custom_mutator_py(const char* module_name) {
OKF("Python mutator '%s' installed successfully.", module_name); OKF("Python mutator '%s' installed successfully.", module_name);
/* Initialize the custom mutator */ /* Initialize the custom mutator */
if (mutator->afl_custom_init) if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF));
mutator->afl_custom_init(UR(0xFFFFFFFF));
} }
#endif #endif

30
src/afl-fuzz-one.c
View File

@ -359,8 +359,7 @@ u8 fuzz_one_original(char** argv) {
/* The custom mutator will decide to skip this test case or not. */ /* The custom mutator will decide to skip this test case or not. */
if (!mutator->afl_custom_queue_get(queue_cur->fname)) if (!mutator->afl_custom_queue_get(queue_cur->fname)) return 1;
return 1;
} }
@ -1552,7 +1551,7 @@ custom_mutator_stage:
const u32 max_seed_size = MAX_FILE; const u32 max_seed_size = MAX_FILE;
orig_hit_cnt = queued_paths + unique_crashes; orig_hit_cnt = queued_paths + unique_crashes;
for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
struct queue_entry* target; struct queue_entry* target;
@ -1597,10 +1596,9 @@ custom_mutator_stage:
new_buf = ck_alloc_nozero(target->len); new_buf = ck_alloc_nozero(target->len);
ck_read(fd, new_buf, target->len, target->fname); ck_read(fd, new_buf, target->len, target->fname);
close(fd); close(fd);
size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len, size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len, new_buf,
new_buf, target->len, target->len, max_seed_size);
max_seed_size);
ck_free(new_buf); ck_free(new_buf);
@ -1629,7 +1627,7 @@ custom_mutator_stage:
} }
} }
if (mutated_size < len) out_buf = ck_realloc(out_buf, len); if (mutated_size < len) out_buf = ck_realloc(out_buf, len);
memcpy(out_buf, in_buf, len); memcpy(out_buf, in_buf, len);
@ -1688,13 +1686,15 @@ havoc_stage:
havoc_queued = queued_paths; havoc_queued = queued_paths;
u8 stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); u8 stacked_custom = (mutator && mutator->afl_custom_havoc_mutation);
u8 stacked_custom_prob = 6; // like one of the default mutations in havoc u8 stacked_custom_prob = 6; // like one of the default mutations in havoc
if (stacked_custom && mutator->afl_custom_havoc_mutation_probability) { if (stacked_custom && mutator->afl_custom_havoc_mutation_probability) {
stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability(); stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability();
if (stacked_custom_prob > 100) if (stacked_custom_prob > 100)
FATAL("The probability returned by afl_custom_havoc_mutation_propability has to be in the range 0-100."); FATAL(
"The probability returned by afl_custom_havoc_mutation_propability "
"has to be in the range 0-100.");
} }
@ -1708,12 +1708,12 @@ havoc_stage:
stage_cur_val = use_stacking; stage_cur_val = use_stacking;
for (i = 0; i < use_stacking; ++i) { for (i = 0; i < use_stacking; ++i) {
if (stacked_custom && UR(100) < stacked_custom_prob) { if (stacked_custom && UR(100) < stacked_custom_prob) {
temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len, temp_len =
MAX_FILE); mutator->afl_custom_havoc_mutation(&out_buf, temp_len, MAX_FILE);
} }
switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {

34
src/afl-fuzz-python.c
View File

@ -80,6 +80,7 @@ int init_py_module(u8* module_name) {
py_notrim = 1; py_notrim = 1;
} else if ((py_idx >= PY_FUNC_HAVOC_MUTATION) && } else if ((py_idx >= PY_FUNC_HAVOC_MUTATION) &&
(py_idx <= PY_FUNC_QUEUE_NEW_ENTRY)) { (py_idx <= PY_FUNC_QUEUE_NEW_ENTRY)) {
// Implenting the havoc and queue API is optional for now // Implenting the havoc and queue API is optional for now
@ -140,6 +141,7 @@ void finalize_py_module() {
} }
void init_py(unsigned int seed) { void init_py(unsigned int seed) {
PyObject *py_args, *py_value; PyObject *py_args, *py_value;
/* Provide the init function a seed for the Python RNG */ /* Provide the init function a seed for the Python RNG */
@ -171,12 +173,13 @@ void init_py(unsigned int seed) {
return; return;
} }
} }
size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
size_t max_size) { size_t max_size) {
size_t mutated_size; size_t mutated_size;
PyObject *py_args, *py_value; PyObject *py_args, *py_value;
py_args = PyTuple_New(3); py_args = PyTuple_New(3);
@ -224,8 +227,7 @@ size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
if (py_value != NULL) { if (py_value != NULL) {
mutated_size = PyByteArray_Size(py_value); mutated_size = PyByteArray_Size(py_value);
if (buf_size < mutated_size) if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size);
*buf = ck_realloc(*buf, mutated_size);
memcpy(*buf, PyByteArray_AsString(py_value), mutated_size); memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
Py_DECREF(py_value); Py_DECREF(py_value);
@ -242,7 +244,7 @@ size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
size_t pre_save_py(u8* buf, size_t buf_size, u8** out_buf) { size_t pre_save_py(u8* buf, size_t buf_size, u8** out_buf) {
size_t out_buf_size; size_t out_buf_size;
PyObject *py_args, *py_value; PyObject *py_args, *py_value;
py_args = PyTuple_New(1); py_args = PyTuple_New(1);
py_value = PyByteArray_FromStringAndSize(buf, buf_size); py_value = PyByteArray_FromStringAndSize(buf, buf_size);
@ -377,7 +379,7 @@ void trim_py(u8** out_buf, size_t* out_buf_size) {
size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) { size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) {
size_t mutated_size; size_t mutated_size;
PyObject *py_args, *py_value; PyObject *py_args, *py_value;
py_args = PyTuple_New(2); py_args = PyTuple_New(2);
@ -414,9 +416,8 @@ size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) {
if (py_value != NULL) { if (py_value != NULL) {
mutated_size = PyByteArray_Size(py_value); mutated_size = PyByteArray_Size(py_value);
if (buf_size < mutated_size) if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size);
*buf = ck_realloc(*buf, mutated_size);
memcpy(*buf, PyByteArray_AsString(py_value), mutated_size); memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
Py_DECREF(py_value); Py_DECREF(py_value);
@ -436,7 +437,8 @@ u8 havoc_mutation_probability_py(void) {
PyObject *py_args, *py_value; PyObject *py_args, *py_value;
py_args = PyTuple_New(0); py_args = PyTuple_New(0);
py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args); py_value = PyObject_CallObject(
py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args);
Py_DECREF(py_args); Py_DECREF(py_args);
if (py_value != NULL) { if (py_value != NULL) {
@ -483,7 +485,7 @@ u8 queue_get_py(const u8* filename) {
int ret = PyObject_IsTrue(py_value); int ret = PyObject_IsTrue(py_value);
Py_DECREF(py_value); Py_DECREF(py_value);
if (ret == -1) { if (ret == -1) {
PyErr_Print(); PyErr_Print();
@ -491,10 +493,10 @@ u8 queue_get_py(const u8* filename) {
} }
return (u8) ret & 0xFF; return (u8)ret & 0xFF;
} else { } else {
PyErr_Print(); PyErr_Print();
FATAL("Call failed"); FATAL("Call failed");
@ -516,7 +518,7 @@ void queue_new_entry_py(const u8* filename_new_queue,
py_value = PyString_FromString(filename_new_queue); py_value = PyString_FromString(filename_new_queue);
#endif #endif
if (!py_value) { if (!py_value) {
Py_DECREF(py_args); Py_DECREF(py_args);
FATAL("Failed to convert arguments"); FATAL("Failed to convert arguments");
@ -534,7 +536,7 @@ void queue_new_entry_py(const u8* filename_new_queue,
py_value = PyString_FromString(filename_orig_queue); py_value = PyString_FromString(filename_orig_queue);
#endif #endif
if (!py_value) { if (!py_value) {
Py_DECREF(py_args); Py_DECREF(py_args);
FATAL("Failed to convert arguments"); FATAL("Failed to convert arguments");
@ -545,8 +547,8 @@ void queue_new_entry_py(const u8* filename_new_queue,
PyTuple_SetItem(py_args, 1, py_value); PyTuple_SetItem(py_args, 1, py_value);
// Call // Call
py_value = PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY], py_value =
py_args); PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY], py_args);
Py_DECREF(py_args); Py_DECREF(py_args);
if (py_value == NULL) { if (py_value == NULL) {

2
src/afl-fuzz-run.c
View File

@ -662,7 +662,7 @@ void sync_fuzzers(char** argv) {
ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path);
close_sync: close_sync:
close(id_fd); close(id_fd);
closedir(qd); closedir(qd);
ck_free(qd_path); ck_free(qd_path);

6
src/afl-fuzz.c
View File

@ -119,7 +119,8 @@ static void usage(u8* argv0, int more_help) {
" if using QEMU, just use -c 0.\n\n" " if using QEMU, just use -c 0.\n\n"
"Fuzzing behavior settings:\n" "Fuzzing behavior settings:\n"
" -N - do not unlink the fuzzing input file (only for devices etc.!)\n" " -N - do not unlink the fuzzing input file (only for "
"devices etc.!)\n"
" -d - quick & dirty mode (skips deterministic steps)\n" " -d - quick & dirty mode (skips deterministic steps)\n"
" -n - fuzz without instrumentation (dumb mode)\n" " -n - fuzz without instrumentation (dumb mode)\n"
" -x dir - optional fuzzer dictionary (see README.md, its really " " -x dir - optional fuzzer dictionary (see README.md, its really "
@ -752,8 +753,7 @@ int main(int argc, char** argv, char** envp) {
if (get_afl_env("AFL_AUTORESUME")) { if (get_afl_env("AFL_AUTORESUME")) {
autoresume = 1; autoresume = 1;
if (in_place_resume) if (in_place_resume) SAYF("AFL_AUTORESUME has no effect for '-i -'");
SAYF("AFL_AUTORESUME has no effect for '-i -'");
} }

5
src/afl-showmap.c
View File

@ -730,9 +730,8 @@ int main(int argc, char** argv, char** envp) {
char** use_argv; char** use_argv;
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
if (getenv("AFL_QUIET") != NULL) if (getenv("AFL_QUIET") != NULL) be_quiet = 1;
be_quiet = 1;
while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0) while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0)

42
src/afl-tmin.c
View File

@ -99,7 +99,6 @@ static volatile u8 stop_soon; /* Ctrl-C pressed? */
static u8 qemu_mode; static u8 qemu_mode;
/* /*
* forkserver section * forkserver section
*/ */
@ -533,7 +532,7 @@ static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
return 0; return 0;
} }
/* Handle crashing inputs depending on current mode. */ /* Handle crashing inputs depending on current mode. */
if (WIFSIGNALED(status) || if (WIFSIGNALED(status) ||
@ -822,14 +821,15 @@ finalize_all:
if (hang_mode) { if (hang_mode) {
SAYF("\n" cGRA " File size reduced by : " cRST SAYF("\n" cGRA " File size reduced by : " cRST
"%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST
"%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA
" Fruitless execs : " cRST "termination=%u crash=%u\n\n", " Fruitless execs : " cRST "termination=%u crash=%u\n\n",
100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", 100 - ((double)in_len) * 100 / orig_len, in_len,
((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, in_len == 1 ? "" : "s",
missed_paths, missed_crashes); ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs,
return; missed_paths, missed_crashes);
return;
} }
@ -1146,7 +1146,8 @@ int main(int argc, char** argv, char** envp) {
case 'e': case 'e':
if (edges_only) FATAL("Multiple -e options not supported"); if (edges_only) FATAL("Multiple -e options not supported");
if (hang_mode) FATAL("Edges only and hang mode are mutually exclusive."); if (hang_mode)
FATAL("Edges only and hang mode are mutually exclusive.");
edges_only = 1; edges_only = 1;
break; break;
@ -1232,12 +1233,13 @@ int main(int argc, char** argv, char** envp) {
break; break;
case 'H': /* Hang Mode */ case 'H': /* Hang Mode */
/* Minimizes a testcase to the minimum that still times out */ /* Minimizes a testcase to the minimum that still times out */
if (hang_mode) FATAL("Multipe -H options not supported"); if (hang_mode) FATAL("Multipe -H options not supported");
if (edges_only) FATAL("Edges only and hang mode are mutually exclusive."); if (edges_only)
FATAL("Edges only and hang mode are mutually exclusive.");
hang_mode = 1; hang_mode = 1;
break; break;
@ -1314,14 +1316,18 @@ int main(int argc, char** argv, char** envp) {
run_target(use_argv, in_data, in_len, 1); run_target(use_argv, in_data, in_len, 1);
if (hang_mode && !child_timed_out) if (hang_mode && !child_timed_out)
FATAL("Target binary did not time out but hang minimization mode " FATAL(
"(-H) was set (-t %u).", exec_tmout); "Target binary did not time out but hang minimization mode "
"(-H) was set (-t %u).",
exec_tmout);
if (child_timed_out && !hang_mode) if (child_timed_out && !hang_mode)
FATAL("Target binary times out (adjusting -t may help). Use -H to minimize a hang."); FATAL(
"Target binary times out (adjusting -t may help). Use -H to minimize a "
"hang.");
if (hang_mode) { if (hang_mode) {
OKF("Program hangs as expected, minimizing in " cCYA "hang" cRST " mode."); OKF("Program hangs as expected, minimizing in " cCYA "hang" cRST " mode.");
} else if (!crash_mode) { } else if (!crash_mode) {